Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Get-Partition: C:\Users\RYSZARD\Desktop\ksas\Check_UEFI-CA2023.ps1:1447
Line |
1447 | $GUID = (Get-Partition -DiskNumber $SystemDisk | Where-Object { $ …
| ~~~~~~~~~~~
| Cannot validate argument on parameter 'DiskNumber'. The argument is null. Provide a valid value for the
| argument, and then try running the command again.
Get-Volume_DevicePath: C:\Users\RYSZARD\Desktop\ksas\Check_UEFI-CA2023.ps1:1449
Line |
1449 | $EFI_Path = '{0}EFI' -f (Get-Volume_DevicePath $GUID)
| ~~~~~
| Cannot bind argument to parameter 'VolumeGUID' because it is an empty string.

What's the output from this PS command? Do you have zero or multiple drives reported?
Code:
Get-Disk | Where-Object {$_.IsSystem -eq $true}
 

I updated SVN to version 8.0.

Regarding SkuSiPolicy.p7b policy, what is the Microsoft source for its update? I used this page to apply the policy on a computer, and the last update to this page is December 17, 2025:


"Changes made to this article
Change date Description

December 17, 2025

Updated the commands in Step 2 of the "Deploying a Microsoft-signed revocation policy (SkuSiPolicy.p7b)" section as the commands were not working correctly.

From:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x20 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

To:

$PolicyBinary = $env:windir+"\System32\SecureBootUpdates\SkuSiPolicy.p7b"
$MountPoint = 's:'
$EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot"
mountvol $MountPoint /S
if (-Not (Test-Path $EFIDestinationFolder)) { New-Item -Path $EFIDestinationFolder -Type Directory -Force }
Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force
mountvol $MountPoint /D"
 

Starting from April 2025, W10 or W11 Monthly Updates will push changes to C:\Windows\System32\SecureBootUpdates.

This may include new versions of the DBXupdate.bin, DBXUpdateSVN.bin and SkuSiPolicy.p7b files.

Prior to Secure Boot getting more attention, SkuSiPolicy.p7b was updated once a year when a new Windows was released in October. Now, it's refreshed every time a new security fix is added to the boot manager file. There doesn't appear to be explicit messaging from MS when the policy file changes, so we need to periodically compare the reference copy from SecureBootUpdates.

If you don't bother updating your Windows, your SkuSiPolicy.p7b might be woefully out of date. There isn't a single reference page like for Defender which lists the latest policy version number. SkuSiPolicy.p7b is a signed, binary-encoded version of an XML policy file. Without a special function to decode the contents, you can't know what version you have unless someone publishes the file size or checksum.

I'm using a shortened Get-CIPolicyParser function from Matthew Graeber to extract the version number.
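
The comparison against the reference copy in SecureBootUpdates, described in the post above, can be done by checksum without decoding the policy. This is an added example, not part of garlin's scripts; the function name and the free-drive-letter search are assumptions, and it relies on the deployed file being a plain copy of the reference, as in the Microsoft Copy-Item commands quoted earlier in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: compare the SkuSiPolicy.p7b deployed on the EFI System
# Partition with the reference copy that Windows updates deliver.

function Compare-SkuSiPolicy {
    [CmdletBinding()]
    param(
        # Reference copy refreshed by monthly updates (path from the thread).
        [string]$Reference = "$env:windir\System32\SecureBootUpdates\SkuSiPolicy.p7b",
        # Location on the ESP used by the Microsoft deployment commands.
        [string]$EspRelativePath = 'EFI\Microsoft\Boot\SkuSiPolicy.p7b'
    )

    if (-not (Test-Path -LiteralPath $Reference)) {
        throw "Reference copy not found: $Reference"
    }

    # Pick an unused drive letter (S..Z) instead of assuming S: is free.
    $used   = (Get-PSDrive -PSProvider FileSystem).Name
    $letter = [char[]](83..90) | Where-Object { $used -notcontains [string]$_ } |
        Select-Object -First 1
    if (-not $letter) { throw 'No free drive letter between S: and Z:.' }
    $mount = "${letter}:"

    # mountvol <letter>: /S maps the EFI System Partition, /D removes the mapping.
    mountvol $mount /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol could not mount the ESP on $mount" }

    try {
        $deployed = Join-Path "$mount\" $EspRelativePath
        $refHash  = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash

        if (-not (Test-Path -LiteralPath $deployed)) {
            # No policy on the ESP at all: nothing has been deployed yet.
            return [pscustomobject]@{
                Status        = 'NotDeployed'
                ReferenceHash = $refHash
                DeployedHash  = $null
            }
        }

        $depHash = (Get-FileHash -LiteralPath $deployed -Algorithm SHA256).Hash

        # A mismatch only says the two files differ. It does not say which one
        # is newer; decode the policy version to decide that.
        [pscustomobject]@{
            Status        = if ($refHash -eq $depHash) { 'Match' } else { 'Different' }
            ReferenceHash = $refHash
            ReferenceSize = (Get-Item -LiteralPath $Reference).Length
            DeployedHash  = $depHash
            DeployedSize  = (Get-Item -LiteralPath $deployed).Length
        }
    }
    finally {
        # Always unmap the ESP, even if hashing failed.
        mountvol $mount /D
    }
}

Compare-SkuSiPolicy | Format-List
```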
 

OK, thanks, I'll probably use your script to update it.

If I don't use your script and I update Windows, SkuSiPolicy.p7b will be updated, right?
 

This part is unclear. Setting AvailableUpdates = 0x20 will force the Secure Boot update task to refresh SkuSiPolicy.p7b.

Now is that something you're supposed to do, or should Windows do this for you? I get the feeling that it's a future goal to have the Secure Boot task silently take care of this after a recent update. MS has all of the puzzle pieces, but they might not be ready to turn on automatic updates.

For now, it wouldn't hurt to run the check script after Patch Tuesdays just to confirm there wasn't a recent change.
 

Yeah, if Microsoft updates it automatically.

I'll use your script and wait and see if Microsoft updates it automatically later.
 

I've noticed a problem with the April 2026 version of the files. Run these commands instead of the update script.
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Wait a few seconds. Then run the check script again.

Thanks, that worked here.


Screenshot 2026-04-19 130330.webp
 

I just updated SkuSiPolicy.p7b on a computer using your script, and it worked. Then I checked it with your script.

Before that, I tried twice with reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x20 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update", but it didn't work.
 

MS should hire you for, let's say 6 months
I think you could help them get it all working as it should be, like you explained in this thread
Then, again, maybe you already work for MS... ? :unsure:

But I think we can all agree, whoever you work for, or are retired, one thing is for sure, your help is greatly appreciated !!!
 

MS has enough folks working on different Secure Boot features. High-level coordination and public messaging is my concern.
There isn't a Brandon or Amanda equivalent for Secure Boot evangelism.

Sadly I have way too much insight on how the MS sausage factory software development process works. Let's leave it at that.
 

On my unsupported machines I've been running fine after adding the 2023 certs (see output below.) But I've updated the policy SkuSiPolicy.p7b to 8.0 and now can't boot Macrium media without getting the violation notice that it wants to see v 8 but finds v. 7 on the USB stick. I've tried updating the USB media using Make2023BootableMedia.ps1 and UpdateMyBootFile.ps1 but that hasn't been successful. I've searched the forum for instructions but can't seem to find the correct info to update my USB media, which has been working up until updating the machines for SkuSiPolicy.p7b. I apologize for not being able to find the right instructions here as I'm sure they are here . . . .

PS C:\Program Files\PowerShell\7> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023test.ps1 -Verbose
Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
ASUSTeK COMPUTER INC. K30AD_M31AD_M51AD
Version: 0802
Date: 2015-08-02

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 0

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 439

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 33284.17421.33440.335

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\Program Files\PowerShell\7>
 

use updated script from this post #1,304
and run it with "-bootmedia" option.
 

Use the update script as mentioned above.

I'll have to add some reminders to the REQUIRED ACTION, for users to update their bootable USB drives. The problem is the boot file only changes after a security hole is closed, so there isn't a timetable of when you should be doing this. You could go months without needing any changes. Once you have updated to CA 2023 and revoked CA 2011, the only expected (or rather unexpected) Secure Boot changes will be for the boot manager.

The certs only need to be switched once, but the boot manager may update many times over the years.

Just remember, if you really need to recover from backups, you can always temporarily disable Secure Boot and fix the problem later.
 

I ran the script Update_UEFI-CA2023.ps1 -BootMedia from the post mentioned and it reported success. When I tried to boot from the USB stick I got this blue screen:

recovery blue screen.webp

Do I need to delete all the certs to get to Setup Mode and start over?
 

What's the output from this PS command? Do you have zero or multiple drives reported?
Code:
Get-Disk | Where-Object {$_.IsSystem -eq $true}
I didn't get any output after running that command:

PS C:\WINDOWS\system32> Get-Disk | Where-Object {$_.IsSystem -eq $true}
PS C:\WINDOWS\system32>


If you are interested, I have attached the ps1 file to this response.
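
The 'DiskNumber' error at the top of the thread follows from the empty result shown in this reply: with no disk reporting IsSystem, the disk number handed to Get-Partition is null. The following is an added example, not code from Check_UEFI-CA2023.ps1; the function name Find-EspPartition is hypothetical, and it falls back to locating the EFI System Partition by its GPT partition type.

```powershell
# Added example: find the EFI System Partition (ESP) without assuming that
# Get-Disk reports exactly one disk with IsSystem = True.
$EspGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'  # GPT partition type of an ESP

function Find-EspPartition {
    [CmdletBinding()]
    param()

    # Preferred source: disks that Windows flags as the system disk.
    # @() forces an array so .Count is 0 (not $null) when nothing matches.
    $systemDisks = @(Get-Disk | Where-Object { $_.IsSystem })
    Write-Verbose ('Disks with IsSystem = True: {0}' -f $systemDisks.Count)

    $candidates = @(
        foreach ($disk in $systemDisks) {
            Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                Where-Object { $_.GptType -eq $EspGptType }
        }
    )

    # Fallback for the case in this thread: no disk is flagged IsSystem,
    # so scan every partition for the ESP type instead of passing $null on.
    if ($candidates.Count -eq 0) {
        Write-Verbose 'Falling back to a scan of all partitions by GPT type.'
        $candidates = @(Get-Partition -ErrorAction SilentlyContinue |
            Where-Object { $_.GptType -eq $EspGptType })
    }

    if ($candidates.Count -eq 0) {
        throw 'No EFI System Partition found (MBR disk, or storage not visible to Get-Partition).'
    }

    if ($candidates.Count -gt 1) {
        # Several ESPs (second disk, attached USB media): prefer the partition
        # that Windows itself marks as the system partition.
        $active = @($candidates | Where-Object { $_.IsSystem })
        if ($active.Count -eq 1) {
            $candidates = $active
        }
        else {
            Write-Warning ('{0} ESP candidates found; returning all of them.' -f $candidates.Count)
        }
    }

    foreach ($p in $candidates) {
        [pscustomobject]@{
            DiskNumber      = $p.DiskNumber
            PartitionNumber = $p.PartitionNumber
            # \\?\Volume{...}\ path, usable even though the ESP has no drive letter.
            VolumePath      = $p.AccessPaths |
                Where-Object { $_ -like '\\?\Volume{*' } |
                Select-Object -First 1
        }
    }
}

Find-EspPartition -Verbose | Format-List
```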
 

I did use the version linked in post # 1304, but I went ahead and ran the above link which should be the same and got a success report
PS Bootmedia.webp
but when booting from the Macrium free USB recovery stick the same blue screen resulted. I ran just now both Check_UEFI-CA2023.ps1 and Check_UEFI-CA2023Test.ps1 to see what version of the SkuSiPolicy.p7b is reported. See below.


PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1 -verbose
Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
ASUSTeK COMPUTER INC. K30AD_M31AD_M51AD
Version: 0802
Date: 2015-08-02

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 0

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 439

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023test.ps1 -verbose
Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
ASUSTeK COMPUTER INC. K30AD_M31AD_M51AD
Version: 0802
Date: 2015-08-02

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 0

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 439

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 33284.17421.33440.335

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\Users\theislands>
 

